
United States Patent and Trademark Office 



UNITED ST^HFES>DEPARTMENT OF COMMERCE 
Unitec^tiifeslPatein and Trademark Office 
Addr^COMMISSiqNER FOR PATENTS 
11450 

■"AlexandJa-virginia 22313-1450 
www.uspio.gov 



I ATTORNEY DOCKET NO. I CONFIRMATION NO. | 



APPLICATION NO. 



FILING DATE 



FIRST NAMED INVENTOR 



09/886,146 



22801 



06/20/2001 



02/27/2006 



7590 

LEE & HAYES PLLC 

421 W RIVERSIDE AVENUE SUITE 500 

SPOKANE, WA 99201 



John E. Brezak 



MS1-886US 



5712 



EXAMINER 



] 



BARQADLE, YASIN M 



ART UNIT 



PAPER NUMBER 



2153 



DATE MAILED: 02/27/2006 



Please find below and/or attached an Office communication concerning this application or proceeding. 



PTO-90C (Rev. 10/03) 



Office Action Summary 


Application No. 

09/886.146 


Appllcant(s) 

BREZAK ET AL. 


cxanriiner 

Yasin M. Barqadle 


Art Unit 

2153 





- The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1)^ Responsive to communication(s) filed on 23 November 2005 . 
2a)S This action is FINAL. 2b)n This action is non-final. 

3) 0 Since this application is in condition for allowance except for fomnal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1 935 CD. 1 1 , 453 O.G. 21 3. 

Disposition of Claims 

4) 13 Clalm(s) 1,2,4-17, 19-27,29-35,38-41. 43-50.52-58,60 and 61 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) 0 Claim(s) Is/are allowed. 

6) 13 Claim(s) 1.2.4-17.19-27,29-35,38-41,43-50,52-58.60 and 61 is/are rejected. 
?)□ Claim(s) is/are objected to. 

8) 0 Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) 0 The specification is objected to by the Examiner. 

10) 0 The drawing(s) filed on is/are: a)n accepted or b)n objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) 0 The oath or declaration is objected to by the Examiner. Note the attached Office Action orfonn PTO-152. 

Priority under 35 U.S.C. § 119 

12) 0 Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a)n All b)n Some * c)^ None of: 

1 .□ Certified copies of the priority documents have been received. 

2. n Certified copies of the priority documents have been received in Application No. . 

3. n Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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PTOL-326 (Rev. 7-05) Office Action Summary Part of Paper No./Mail Date 20060215 



Application/Control Number: 09/886,146 Page 2 

Art Unit: 2153 

Response to Amendment 

Applicant's arguments filed on November 23, 2005 have been considered but are not 
deemed persuasive. 

• Claims 3,18, 28, 42,51 and 59 are canceled. 

• Claims 1,4-5,12,16, 19-20, 26,29-30,38,40,43-44, 49, 52-53, 58 and 60-61 are amended. 

• Claims 1-2,4-17, 19-27,29-35,38-41,43-50,52-58 and 60-61 are presented for 
examination. 



Response to Amendment 

In response to Applicant's arguments in page 26 first paragraph that "Fox does not 
disclose identifying a target service" and that "Fox neither teaches nor suggests causing a 
server to request access to a target service." Examiner notes that Fox teaches "During the 
first step (illustrated in figure 1 b), the client uses the proxy as an intelligent router to obtain a 
TGT, which will then be managed by the proxy. From the point of view of the KDC and TGS, 
the proxy appears to be a normal Kerberos client during this phase. " (Fox, page 157, 
paragraphe 3). Fox clearly teaches the client using the proxy causing to obtain a TGT which 
will be managed by the proxy. Furthermore, fox teaches 'access to a service is requested by 
presenting the TGS with a ticket and an authenticator, and the name of the desired service 
(Fox, page 158, section 2.3 paragraph 1). Applicant also argues that "Fox no where discloses 
" a target service," let alone causing a server to request access to such a client service." (Page 
27, paragraph 1). Examiner notes that Fox teaches "the proxy can then interact with the 
service on the client's behave (messages 15 and 16). For example, the proxy can securely 
retrieve mail via a Kerberized POP service," (Fox, page 158, section 2.3 paragraph 2). 
Furthermore, Fox teaches the proxy accessing Kerberized services on the cUent's behalf 
"Charon interaction consists of two distinct phases: the handshake phase, in which the 
client authenticates itself to the proxy via Kerberos and establishes a secure channel 
with it, and the service access phase, in which the proxy accesses Kerberized services on 
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the client's behalf. The Charon protocol module on the proxy and the Charon client side 
software are responsible for the flow of control during both phases." (Fox, page 157, 
paragraphe 2). 

Applicant argues that Fox does not describe issuance of a new service credential to a 
server in the name of the client rather than the server (page 27, paragraph 3). Examiner 
notes that Fox teaches " An alternative approach to service access that places more trust 
in Charon is for the client to reveal Kc,tgs to Charon over the established secure channel, 
thus allowing Charon to negotiate for Kerberized services directly." (Fox, page 158, 
section 2.3 paragraphe 3). 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis 
for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless — 

(b) the invention was patented or described in a printed pubhcation in this or a foreign country or in public use 
or on sale in this country, more than one year prior to the date of application for patent in the United States. 

Claims 1-2,3-35, 38-41, 43-46, 48-50,52-55, 57-58, and 60-61 are rejected under 35 U.S.C. 
102(b) as being anticipated by Fox et al. ("Security on the Move: Indirect Authentication Using 
Kerberos'\ 1996, hereinafter "Pox"). Fox discloses indirect authentication using Kerberos. Fox 
shows, 

In referring to claims 1,4-5, 12, 16, 19-20, 26,29-30, 31, 33, 35 

• identifying a target service to which access is sought on behalf of a client; and causing a server 
operatively coupled to the client to request access to the target service on behalf of the client, 
from a trusted third party: "Charon interaction consists of two distinct phases: the 
handshake phase, in which the client authenticates itself to the proxy via Kerberos and 
establishes a secure channel with it, and the service access phase, in which the proxy 
accesses Kerberized services on the client's behalf The Charon protocol module on the 
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proxy and the Charon dient side software are responsible for the flow of control during 
both phases." (Fox, page 157, paragraphs 2 and 3) the server provides the trusted third 
party with: 

• a service credential authenticating the server, information about the target service, and a 
service credential previously provided by the cUent for the service, and wherein the chent ticket 
includes implementation-specific identity information: 

"During the first step (illustrated in figure 1 b), the client uses the proxy as an intelligent router 
to obtain a TGT, which will then be managed by the proxy. From the point of view of the KDC 
and TGS, the proxy appears to be a normal Kerberos client during this phase, " (Fox, page 
157, paragraphe 3) 

In referring to claim 2, 17, 27, 32, 

• The trusted third-party includes at least one service selected from a group of services 
comprising a key distribution center (KDC) service, A certificate granting authority service, 
and A domain controller service: 

Fox Fig. 1 shows the trusted third party includes a KDC. 
In referring to claim 6, 8, and 21, 

• Causing the trusted third-party to verify that the client has authorized delegation: 
Verifying authorized delegation is inherently implied in a system that uses Kerberos 

In referring to claims 7 and 22, 

• The trusted third-party includes a key distribution center (KDC): 
Fox Fig.l shows the trusted third party includes a KDC 

Causing the trusted third-party to verify that the client has authorized delegation includes 
verifying the status of a restriction placed on the ticket originating from the client: 
Verifying authorized delegation is inherently implied in a system that uses Kerberos 

In referring to claim 9, 23, and 34, 
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• The server is a front-end server with respect to a back-end server that is coupled to the front- 
end server: 

The proxy is a front-end server with respect to the client 

• The back-end server is configured to provide the target service to which access is sought. 
The target service is a back -end server with respect to the client 

In referring to claims 10 and 24, 

• The trusted third -party includes a key distribution center (KDC): 
Fox Fig. 1 shows the trusted third party includes a KDC 

• The KDC provides a ticket-granting-ticket associated with the client to the client; and the 
client does not provide the ticket granting ticket to the server: 

"During the first step (illustrated in figure 1 b), the client uses the proxy as an intelligent router 
to obtain a TGT, which will then be managed by the proxy, " (Fox, page 157, paragraphe 3) 

In referring to claims 1 1 and 25, 

• The trusted third-party includes a key distribution center (KDC): 
Fox Fig. 1 shows the trusted third party includes a KDC 

• The server requests the new credential in a ticket granting service request message that 
includes a service ticket provided by the client to the server: 

"During the first step (illustrated in figure I b), the client uses the proxy as an intelligent router 
to obtain a TGT, which will then be managed by the proxy, " (Fox, page 157, paragraphe 3) 

In referring to claims 13, 14, and 15, 

The implementation-specific identity information includes information selected from a group 
comprising privilege attribute certificate (PAC) information, security identifier information, 
Unix identifier information, Passport identifier information, certificate information: The 
system of Fox contains security identifier information 

In referring to claim 38, 

• separately authenticating a server and a client; providing the client with a client ticket 

granting ticket and a service ticket for use with the server: 
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"the client authenticates itself to the proxy via Kerberos and establishes a secure channel with 
it, and the service access phase** (Fox, page 157, paragraph 2) 

• providing the server with a server ticket granting ticket; providing the server with a new 
service ticket for use by the server for use with a new service without requiring the server to 
have access to the client ticket granting ticket: 

"During the first step (illustrated in figure 1 b), the client uses the proxy as an intelligent router 
to obtain a TGT, which will then be managed by the proxy. From the point of view of the KDC 
and TGS, the proxy appears to be a normal Kerberos client during this phase, " (Fox, page 
157, paragraphe 3) 

In referring to claim 39, 

• Causing the server to request the new service ticket on behalf of the client by forwarding the 
server ticket granting ticket, information identifying the new service, and the service ticket to a 
trusted third party: 

During the first step (illustrated in figure J b), the client uses the proxy as an intelligent 
router to obtain a TGT, which will then be managed by the proxy. From the point of 
view of the KDC and TGS, the proxy appears to be a normal Kerberos client during this 
phase. " (Fox, page 157, paragraphe 3) 

In referring to claims 40, 48, 49, 57, and 58, 

• Identifying a target service to which access is sought on behalf of a cUent that has been 

authenticated using a first authentication method; 

"the client authenticates itself to the proxy via Kerberos and establishes a secure channel with 
it, and the service access phase*' (Fox, page 157, paragraph 2) 

• Causing a server that is operatively coupled to the target service and the client to request a 
service credential to itself from a second authentication method trusted third-party by 
identifying the client and the first authentication protocol: 

• The server communicates with the client via the first authentication protocol which inherently 
implies identifying the cUent and the first authentication protocol 

• Causing the server to request a new service credential, for use by the server and the target 
service, from the second authentication method trusted third-party, wherein the server provides 
the trusted third-party with a credential authenticating the server, information about the target 
service, and the service credential to itself. 
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^'Charon interaction consists of two distinct phases: the handshake phase, in which the chent 
authenticates itself to the proxy via Kerberos and establishes a secure channel with it, and the 
service access phase, in which the proxy accesses Kerberized services on the client's behalf 
The Charon protocol module on the proxy and the Charon client-side software are 
responsible for the flow of control during both phases, " (Fox, page 157, paragraphe 2) 

In referring to claims 40 and 50, 

• The second authentication method trusted third-party includes at least one service 
selected from a group of services comprising a key distribution center (KDC) service, a 
certificate granting authority service, and a domain controller service: Fox Fig.! shows 
the trusted third party includes a KDC 

In referring to claims 42, 5 1, and 59, 

• The new service credential is granted in an identity of the client rather than an identity of 

the server: 

"During the first step (illustrated in figure 1 b), the chent uses the proxy as an intelligent 
router to obtain a TGT, which will then be managed by the proxy." (Fox, page 157, 
paragraphe 3) 

In referring to claims 43, 52, and 60, 

• The service credential is configured for use by the server and the target service to which 
access is sought. 

"From the point of view of the KDC and TGS, the proxy appears to be a normal Kerberos 
client during this phase. " (Fox, page 157, paragraphe 3) 
In referring to claims 44, 53, and 61, 

• The credential authenticating the server includes a ticket granting ticket associated with 
the server. 

"From the point of view of the KDC and TGS, the proxy appears to be a normal Kerberos 
client during this phase. " (Fox, page 157, paragraphe 3) 



In referring to claims 45 and 54, 
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• Upon receiving a request for the new service credential from the server, causing the second 
authentication method trusted third-party to verify that the client has authorized delegation: 

Verifying authorized delegation is inherently implied in a system that uses Kerberos 
In referring to claims 46 and 55, 

• The server is a front-end server with respect to a back-end server that is coupled to the 
front-end server; The proxy is a front-end server with respect to the client 

• The back-end server is configured to provide the target service. The target service is a back 
-end server with respect to the client 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a 
person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the maimer in A\duch the invention was made. 

Claims 47 and 56 are rejected under 35 U.S.C. 103(a) as being unpatentable over Fox in view 
of Freier et al. ("The SSL Protocol Version 3.0", 18 Nov 1996, hereinafter "Freier"). Although 
Fox shows substantial features of the claimed invention, Fox does not show using SSL as the 
first authentication method. Nonetheless this feature is well known in the art and would have 
been an obvious modification to the system disclosed by Fox as evidenced by Freier. 

In analogous art, Freier discloses SSL version 3,0, Freier shows SSL can be used to provide 
communication privacy over the Internet, 

Given these teachings, a person of ordinary skill in the art would have readily recognized the 
desirability and advantages of modifying the system of Fox so as to use SSL, such as taught 
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by Freier, in order to provide security for applications that don't support Kerberos 
authentication (For example, Outlook and Netscape email clients). 

Conclusion 

ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the 
extension of time pohcy as set forth in 37 CFR 1. 136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the 
advisory action. In no event, however, will the statutory period for reply expire later than 
SIX MONTHS from the date of this final action. 

The prior made of record and not reUed upon is considered pertinent to applicant's 
disclosure. 

Any inquiry concerning this communication or eariier communications from the 
examiner should be directed to Yasin Barqadle whose telephone number is 571-272- 
3947. The examiner can normally be reached on 9:00 AM to 5:30 PM. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Glenn Burgess can be reached on 571-272-3949. The fax phone numbers for 
the organization where this application or proceeding is assigned are 703-872-9306 for 
regular communications and 703-746-7238 for After Final communications. 
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Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is 703-305-3900. 
Information regarding the status of an application may be obtained form the Patent 
Application Information Retrieval (PAIR) system. Status information for published 
appUcations may be obtained from either private PAIR or pubUc PAIR system. Status 
information for unpublished applications is available through private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). 
YB 
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